Joseph "PlugwalkJoe" O'Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer's mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph "PlugwalkJoe" O'Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O'Connor's arrest and indictment, his alleged role in the Twitter compromise was well covered in the media. But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts. Skim the government's indictment and you might overlook a footnote on Page 4 that says O'Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against federal agents who were already investigating their alleged crimes. "O'Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer," the footnote reads. Swatting involves making a false report to authorities in a target's name with the intention of sending a heavily armed police force to that person's address. It's a potentially deadly…

Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found. The number of malware families written in those four languages is rising, according to a report published on Monday by the BlackBerry Research and Intelligence Team. The team chose those four languages to examine partly because they fit its detection methodologies, but also because the languages have strong community backing and could be considered more mature. “These uncommon programming languages are no longer as rarely used as once thought,” according to the writeup. “Threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.” Specifically, researchers are tracking more loaders and droppers being written in rarer languages. “These new first-stage pieces of malware are designed to decode, load, and deploy commodity malware such as the Remcos and NanoCore Remote Access Trojans (RATs), as well as Cobalt Strike,” according to the report. “They have been commonly used to help threat actors evade detection on the endpoint.” In fact, the use of the legitimate Cobalt Strike security tool has exploded: its usage in cyberattacks is up 161 percent year-over-year, having gone fully mainstream in the crimeware world.

The Dark Side of Innovation

Malware makers might have a reputation for being slow to let go of whatever’s working,…
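When a first-stage loader lands on an analyst's desk, the first triage question is which toolchain built it, because that decides which disassembler plugins, symbol-recovery tricks and string conventions apply. The following Python is an added example, not code from the BlackBerry report or its authors: it scans a sample for strings the Go, Rust, Nim and D runtimes typically leave behind and reports the most likely language, plus the embedded Go toolchain version when there is one. The marker list and the three sample blobs are assumptions constructed for this example; they are a starting heuristic rather than a signature set, and packed or fully stripped samples may match nothing.

```python
"""Guess the compiler toolchain behind a loader/dropper from runtime strings.

Added example for triage; heuristic only. The MARKERS table is an assumption
built from strings these toolchains' runtimes commonly embed, not an
authoritative signature set. Packed or stripped samples may match nothing.
"""
import re

MARKERS = {
    # Go: build-id note, buildinfo blob header, runtime symbol names, version string
    "Go":    [b"Go build ID:", b"Go buildinf:", b"runtime.main", b"go1."],
    # Rust: panic-location source paths under /rustc/<commit>/, std strings, unwind hooks
    "Rust":  [b"/rustc/", b"RUST_BACKTRACE", b"rust_begin_unwind", b"rust_panic"],
    # Nim: entry points and frame helpers emitted by the Nim-to-C backend
    "Nim":   [b"NimMain", b"nimFrame", b"NimMainInner"],
    # D: druntime entry point and module names
    "DLang": [b"_d_run_main", b"core.runtime", b"rt.dmain2"],
}

GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def fingerprint(data: bytes) -> dict:
    """Map each language to the list of its markers found in data (languages with no hits are omitted)."""
    hits = {}
    for lang, patterns in MARKERS.items():
        found = [p.decode() for p in patterns if p in data]
        if found:
            hits[lang] = found
    return hits


def guess_language(data: bytes):
    """Language with the most marker hits, or None when nothing matched (e.g. a packed sample)."""
    hits = fingerprint(data)
    if not hits:
        return None
    return max(hits, key=lambda lang: len(hits[lang]))


def go_version(data: bytes):
    """Extract the embedded Go toolchain version string (e.g. 'go1.16.5'), if present."""
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode() if m else None


def scan_file(path: str) -> dict:
    """Fingerprint one file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "language": guess_language(data),
            "markers": fingerprint(data), "go_version": go_version(data)}


# Constructed stand-ins (not real malware): a Go ELF loader, a Rust PE dropper, a packed blob.
SAMPLES = {
    "loader_go.bin":    b"\x7fELF" + b"\x00" * 32
                        + b'Go build ID: "x9K"\x00runtime.main\x00go1.16.5\x00',
    "dropper_rust.exe": b"MZ" + b"\x00" * 32
                        + b"/rustc/0123abcd/library/core/src/panicking.rs\x00RUST_BACKTRACE\x00",
    "packed.bin":       b"MZ" + b"\x00" * 32 + b"UPX!" + b"\xaa" * 32,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: language={guess_language(blob)} go_version={go_version(blob)} "
              f"markers={fingerprint(blob)}")
```

A result of None on a file that demonstrably runs is itself a useful signal: the sample is probably packed or has had its strings obfuscated, and the next step is unpacking before any language-specific tooling is applied. The Go version string is worth keeping in the report, since it often groups builds that came out of the same developer environment.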

One of the most damaging myths about ransomware attacks is, “If your company does regular system backups, you don’t have to worry. Just restore from the backup.” While system backups are crucial — power outages, natural disasters, or even mistakes by employees can destroy data just as quickly as a cyberattack — they’re not a silver bullet. Recovering from a ransomware attack involves more than restoring systems and data. What does ransomware recovery really look like? To find out, Keeper Security surveyed 2,000 employees across the U.S. whose organizations had been victimized by ransomware in the previous 12 months. Here’s what they found.

Nearly one-third of companies got hit by trains they never saw coming.

Over the past year, ransomware attacks have earned a near-permanent spot on the front page of every newspaper in the country. Yet 29% of respondents to Keeper’s survey had no idea what ransomware was until their organizations were hit by it. This indicates that many employers are not providing their workers with adequate cybersecurity training. That’s especially concerning because the majority of attacks involved social-engineering schemes, including phishing emails (42%), malicious websites (23%) and compromised passwords (21%).

Ransomware recovery isn’t painless. It brings on changes, many of them quite disruptive.

Restoring data and systems from backup is only the beginning of ransomware recovery. Organizations need to harden systems to prevent future attacks, as…

Discord has a malware problem. And although the platform is predominantly used by gamers, it turns out even users who have never interacted with Discord are at risk. Discord lets users create servers: groups or communities whose members can quickly send voice, text and other media messages to one another. Researchers say there has been a massive uptick in the number of Discord-related malware detections compared to last year. In a report released by Sophos, the company says incidents have jumped 140-fold compared to 2020. The primary culprits in the Discord jump are its content delivery network (CDN) and application programming interface (API), both of which cybercriminals have been abusing. Discord’s CDN is being abused to host malware, while its API is being leveraged to exfiltrate stolen data and facilitate hacker command-and-control channels, Sophos added. Because Discord is heavily trafficked by younger gamers playing Fortnite, Minecraft and Roblox, a lot of the malware floating around amounts to little more than pranking, such as the use of code to crash an opponent’s game, Sophos explained. But the spike in info-stealers and remote-access trojans is more alarming, it added.

Discord Credential Stealers, RATs

“But the greatest percentage of the malware we found have a focus on credential and personal information theft, a wide variety of stealer malware as well as more versatile RATs,” the report said. “The threat actors behind these operations employed social…
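The two abuses Sophos describes, payloads served from Discord's CDN and stolen data pushed out through the Discord API, both leave a recognisable URL shape in outbound proxy logs, which is where a defender who never deployed Discord can still see them. The following Python is an added example, not Sophos's code, that flags them. The URL shapes (cdn.discordapp.com/attachments/<channel>/<message>/<file> and discord.com/api/webhooks/<id>/<token>) are Discord's own; the proxy-log line format, the sample lines, the executable-extension list and the non-browser user-agent rule are constructed assumptions to be adapted to your environment.

```python
"""Flag Discord CDN payload downloads and Discord API exfiltration in proxy logs.

Added example. Log format is an assumed generic proxy line:
  <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
Adapt LOG_RE to the proxy you actually run.
"""
import re
from urllib.parse import urlparse

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Discord attachment URLs: /attachments/<channel_id>/<message_id>/<filename>
CDN_ATTACHMENT_RE = re.compile(r"^/attachments/\d+/\d+/(?P<name>[^/?]+)")
# Discord webhook URLs: /api/webhooks/<webhook_id>/<token>; a POST here sends a message out
WEBHOOK_RE = re.compile(r"^/api/webhooks/(?P<id>\d+)/[^/?]+")

CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com"}
# File types a workstation has no reason to fetch from a chat CDN (assumed list; tune per environment).
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi", ".hta"}


def classify(method: str, url: str, user_agent: str):
    """Classify one request. Returns (finding, severity, detail) or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in CDN_HOSTS:
        m = CDN_ATTACHMENT_RE.match(u.path)
        if not m:
            return None
        name = m.group("name").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXT:
            return ("cdn_executable_download", "high", name)
        return ("cdn_attachment_download", "low", name)
    if host in API_HOSTS:
        m = WEBHOOK_RE.match(u.path)
        if m and method.upper() == "POST":
            # Report only the webhook id: the token in the URL is a credential
            # and must not be copied into alerts or tickets.
            return ("webhook_post", "high", m.group("id"))
        if u.path.startswith("/api/") and not user_agent.startswith("Mozilla/"):
            # API calls from a non-browser client look like bot/C2 usage (heuristic).
            return ("api_non_browser_client", "medium", user_agent)
    return None


def scan_log(lines):
    """Run classify() over proxy-log lines and return a list of finding dicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unexpected format: skip the line rather than abort the scan
        ts, client, method, url, _status, ua = m.groups()
        hit = classify(method, url, ua)
        if hit:
            finding, severity, detail = hit
            findings.append({"time": ts, "client": client, "finding": finding,
                             "severity": severity, "detail": detail})
    return findings


# Constructed sample log (not real traffic) covering each case plus a malformed line.
SAMPLE_LOG = [
    '2021-07-22T10:01:13Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/8321/9947/update.exe 200 "python-requests/2.25.1"',
    '2021-07-22T10:01:20Z 10.0.0.5 POST https://discord.com/api/webhooks/1122/abcDEF 204 "python-requests/2.25.1"',
    '2021-07-22T10:02:02Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/4421/1110/screenshot.png 200 "Mozilla/5.0"',
    '2021-07-22T10:03:44Z 10.0.0.9 GET https://discord.com/api/v9/users/@me 200 "Mozilla/5.0"',
    '2021-07-22T10:04:01Z 10.0.0.7 GET https://example.com/index.html 200 "Mozilla/5.0"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} [{f['severity']}] {f['finding']}: {f['detail']}")
```

Treat a webhook POST from a workstation as a credential exposure as well as an exfiltration indicator: anyone holding the URL can post to that channel, so the alert should carry the webhook id and never the full URL. The non-browser user-agent rule will also catch legitimate bots and integrations, so it is a triage signal rather than a block rule.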

The ransomware landscape is evolving, and ransomware is now one of the most popular (for cybercriminals) and damaging types of malware. The JBS, Colonial Pipeline and Kaseya attacks are recent high-profile examples of the impact of ransomware and the monumental consequences it can have: shifts in the market, impact on infrastructure and even action at the highest levels of government. In the wake of these attacks and other events such as the SolarWinds attack, the executive branch has taken action in the form of an executive order (EO) that covers several cybersecurity concepts. This order encourages private-sector companies to follow the Federal government’s lead to help minimize the impact of future incidents. There are several different concepts outlined in the EO, so to help organizations get started, I’ve outlined some of the key concepts that organizations should be paying attention to now and offer a few tips on how you can start implementing these strategies today.

1. Adopt a “Zero-Security” Posture Towards Ransomware

One of the orders that stood out to me is the “Modernize and Implement Stronger Cybersecurity Standards in the Federal Government” requirement. This aims to move the Federal Government to adopt better security practices: zero-trust security, accelerated movement to secure cloud services, and the deployment of multifactor authentication and encryption. At Veritas, we counsel enterprises to adopt what we call a…

Financial cybercrime gang FIN7 has rebounded after the jailing of some key members, launching a campaign that uses as a lure a legal complaint involving the liquor company that owns Jack Daniels whiskey. The gambit successfully compromised at least one law firm, giving them a shot of the JSSLoader remote-access trojan (RAT), researchers said. According to eSentire’s Threat Response Unit (TRU), the successful breach for FIN7 (aka Carbanak Group or Navigator Group) was part of a wider, non-targeted email campaign. It purports to relate to a legal complaint centering around liquor giant Brown-Forman. “One of the victims of the malicious legal complaint campaign was a law firm,” researchers said in a posting this week. “The lure successfully bypassed the law firm’s email filters, and it was not detected as suspicious by any of the firm’s employees.” The ultimate purpose of installing the backdoor is unclear. FIN7 usually carries out targeted attacks on point-of-sale systems at casual-dining restaurants, casinos and hotels; or, it infiltrates systems to steal bank-card data and sell it. Since 2020, it has also added ransomware/data exfiltration attacks to its mix, carefully selecting targets according to revenue using the ZoomInfo service. “It is plausible that proficient financial cybercrime groups, such as FIN7, are providing initial access to seasoned ransomware groups, such as REvil (aka Sodinokibi), Ryuk, etc. as a way to monetize their access,” according to TRU. Savvy…

Kaseya has obtained a master decryptor key for the REvil ransomware that locked up the systems of at least 60 of its customers in a spate of worldwide cyberattacks on July 2. The attacks, which exploited now-patched zero-days in the Kaseya Virtual System/Server Administrator (VSA) platform, affected Kaseya customers in 22 countries using the on-premises version of the platform – many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses. In addition to the 60 direct customers, around 1,500 downstream customers of those MSPs were also affected. The VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure. In the wake of the attacks, the REvil gang (aka Sodinokibi) demanded $70 million for a universal public decryption key that will remediate all impacted victims – a price that one researcher said was eventually lowered to $50 million. Late on Thursday afternoon, the vendor announced via its rolling advisory on the incident that it had obtained the decryptor “through a third party.” It’s unclear if the ransom was indeed paid. “We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” it said. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key…

The Tokyo Olympics, set to open Friday night, are already being targeted by threat actors, and the Federal Bureau of Investigation’s Cyber Division has issued a chilling warning that the Games’ TV broadcast is likely to be plagued by attacks, since it will be the only way to view events now that spectators have been barred due to COVID-19 concerns. “Adversaries could use social-engineering and phishing campaigns in the leadup to the event to obtain access or use previously obtained access to implant malware to disrupt affected networks during the event,” the FBI notification said. “Social-engineering and phishing campaigns continue to provide adversaries with the access needed to carry out such attacks.” The FBI added that in general, the Olympics will attract both run-of-the-mill cybercriminals and nation-state actors who want to “make money, sow confusion, increase their notoriety, discredit adversaries and advance ideological goals.” The same day the FBI released its warning, the personal data of volunteers and ticket purchasers for the Tokyo Olympics was leaked online. The 2018 PyeongChang Winter Olympics were hit by relentless attacks, including the Olympic Destroyer attack on the Games’ Opening Ceremony, the FBI pointed out. It warned athletes, visitors, press and others to be on the lookout for spear-phishing campaigns and malicious links that could trigger ransomware, distributed denial-of-service (DDoS) and other cyberattacks.

ISPs, Broadcast Networks Warned …

The Milanote app, billed as the “Evernote for creatives” by reviewers, has attracted the notice of cybercriminals who are abusing it to carry out credential-stealing campaigns that skate past secure email gateways (SEGs), researchers said. Milanote is a tool for organizing and collaborating on creative projects. Users can arrange their projects into handy visual boards that can be shared and collaboratively edited, with the ability to add notes, images, links, files and so on. It counts several heavy hitters as customers, including Chanel, Facebook, Google, Nike and Uber, among many others. According to analysis from Avanan released Thursday, attackers are looking to hook victims by starting off with a simple email. It has the subject line, “Invoice for Project Proposal.” The email body is pretty bare-bones, saying only, “Hello. See attached invoice for the above referenced project. Please contact me if you have questions or need additional information. Thank you.” It doesn’t contain any personalization, logos or other social-engineering aspects. “The email itself is pretty standard issue,” Gil Friedrich, CEO and co-founder of Avanan, told Threatpost in an interview. “It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world, however, it understands what emails can get past static scanners, including, in this case, Milanote.” Should a target open the attachment, a document opens that contains one…

Atlassian has dropped a patch for a critical vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products, which can lead to arbitrary code execution. Atlassian’s platform is used by 180,000 customers to engineer software and manage projects, and Jira is its proprietary bug-tracking and agile project-management tool. On Wednesday, Atlassian issued a security advisory concerning the vulnerability, which is tracked as CVE-2020-36239. The bug could enable remote, unauthenticated attackers to execute arbitrary code in some Jira Data Center products. BleepingComputer got hold of an email Atlassian sent to enterprise customers on Wednesday that urged them to update ASAP. The vulnerability stems from a missing authentication check in Jira’s implementation of Ehcache, an open-source, distributed Java cache used for general-purpose caching, Java EE and lightweight containers to improve performance and simplify scaling. Atlassian said that the bug was introduced in version 6.3.0 of Jira Data Center, Jira Core Data Center, Jira Software Data Center and Jira Service Management Data Center (known as Jira Service Desk prior to 4.14). According to Atlassian’s security advisory, those products exposed an Ehcache remote method invocation (RMI) network service that attackers who can connect to the service on port 40001 (and potentially 40011) could use to “execute arbitrary code of their choice in Jira”…
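The practical question for anyone running Jira Data Center is whether the Ehcache RMI listener on each node is reachable from hosts outside the cluster. The following Python is an added example, not Atlassian's or Ehcache's code, that checks the two ports the advisory names by completing only the first step of the Java RMI wire protocol: it sends the "JRMI" magic, protocol version 2 and the StreamProtocol byte (0x4b) and looks for the ProtocolAck reply (0x4e) that an RMI endpoint returns. It attempts nothing beyond that handshake. The fake endpoint at the bottom is a constructed stand-in so the script can be exercised offline; the target hostnames you pass to it are assumptions.

```python
"""Check whether a Jira Data Center node answers as a Java RMI endpoint on the Ehcache ports.

Added example. Speaks only the RMI handshake (magic "JRMI", version 2, StreamProtocol)
and classifies the answer; it does not call any remote method.
"""
import socket
import threading

EHCACHE_RMI_PORTS = (40001, 40011)   # ports named in the advisory

RMI_HANDSHAKE = b"JRMI" + b"\x00\x02" + b"\x4b"   # magic + version 2 + StreamProtocol
PROTOCOL_ACK = 0x4e                                # server's first byte when it accepts


def build_handshake() -> bytes:
    return RMI_HANDSHAKE


def is_rmi_ack(reply: bytes) -> bool:
    """True if the first byte of the reply is ProtocolAck (endpoint info follows it in real RMI)."""
    return len(reply) > 0 and reply[0] == PROTOCOL_ACK


def probe_rmi(host: str, port: int, timeout: float = 3.0) -> str:
    """'open-rmi' if an RMI endpoint acknowledged, 'open-other' if something else listens, 'closed' otherwise."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        try:
            s.sendall(build_handshake())
            reply = s.recv(64)
        except OSError:  # reset or timeout after connecting: a listener, but not one that speaks RMI
            return "open-other"
    return "open-rmi" if is_rmi_ack(reply) else "open-other"


def audit(host: str, ports=EHCACHE_RMI_PORTS, timeout: float = 3.0) -> dict:
    """Probe every Ehcache RMI port on one node; the result should be 'closed' from any non-cluster host."""
    return {port: probe_rmi(host, port, timeout) for port in ports}


def start_fake_rmi_endpoint(host: str = "127.0.0.1") -> int:
    """Constructed offline stand-in: a one-shot listener on an ephemeral port that replies
    ProtocolAck to a valid handshake and just closes otherwise. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = b""
            while len(req) < len(RMI_HANDSHAKE):
                chunk = conn.recv(len(RMI_HANDSHAKE) - len(req))
                if not chunk:
                    break
                req += chunk
            if req == RMI_HANDSHAKE:
                conn.sendall(bytes([PROTOCOL_ACK]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]   # a Jira Data Center node name or address (assumed argument)
        for port, state in audit(target).items():
            print(f"{target}:{port} {state}")
    else:
        port = start_fake_rmi_endpoint()
        print(f"127.0.0.1:{port} {probe_rmi('127.0.0.1', port)}")
```

Run it from a host that is not a cluster member: "open-rmi" there is exactly the precondition the advisory describes, an RMI service answering connections that Jira never authenticates. Patching is the fix; restricting 40001 and 40011 to the cluster nodes' own addresses is the compensating control while the upgrade is scheduled, and re-running the probe afterwards confirms the restriction actually took effect.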
